I've set up shorewall with openvpn. This machine is not the default gateway on the LAN and I've got it working, but not fully within the shorewall configs. I need to figure out how to represent this in shorewall's configuration files.

My setup:

Road Warrior --> internet --> Firewall --> local lan w/ 2 subnets,
                                           openvpn/shorewall server is a pc
                                 |
                                 |--------> VPN to another site w/ 2 subnets

OpenVPN is using its own subnet (43.x) and coming directly into a PC (has an IP on 43.x and 40.15). Example problem: If the "Remote PC" sends an http request to a server on 40.10, shorewall sends the request directly to 40.10 but that server doesn't know anything about subnet 43.x so it sends its response to the gateway at 40.1 which knows about the subnet but doesn't know anything about the request.

I overcame that by setting up a routing rule based on the source address (I believe that is what this is doing). I gleaned this from a site trying to solve a similar problem. The following makes everything route correctly.

# ip route add table 70 to 172.16.43.0/24 dev tun0
# ip route add table 70 to default via 172.16.40.1 dev eth0
# ip rule add from 172.16.43.0/24 table 70 priority 20
# ip route flush cache

Now, if I do a traceroute from the "Remote PC" to 40.10, it will show me routing through the openvpn/shorewall server (40.15) to the LAN gateway (40.1) and back to 40.10.

How do I represent this in shorewall's config files? Can I?

C.

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
Chris Wood wrote:
> I've set up shorewall with openvpn. This machine is not the default gateway
> on the LAN and I've got it working, but not fully within the shorewall
> configs. I need to figure out how to represent this in shorewall's
> configuration files.
>
> My setup:
>
> Road Warrior --> internet --> Firewall --> local lan w/ 2 subnets,
>                                            openvpn/shorewall server is a pc
>                                  |
>                                  |--------> VPN to another site w/ 2 subnets
>
> OpenVPN is using its own subnet (43.x) and coming directly into a PC (has an
> IP on 43.x and 40.15). Example problem: If the "Remote PC" sends an http
> request to a server on 40.10, shorewall sends the request directly to 40.10
> but that server doesn't know anything about subnet 43.x so it sends its
> response to the gateway at 40.1 which knows about the subnet but doesn't
> know anything about the request.
>
> I overcame that by setting up a routing rule based on the source address (I
> believe that is what this is doing). I gleaned this from a site trying to
> solve a similar problem. The following makes everything route correctly.
>
> # ip route add table 70 to 172.16.43.0/24 dev tun0
> # ip route add table 70 to default via 172.16.40.1 dev eth0
> # ip rule add from 172.16.43.0/24 table 70 priority 20
> # ip route flush cache
>
> Now, if I do a traceroute from the "Remote PC" to 40.10, it will show me
> routing through the openvpn/shorewall server (40.15) to the LAN gateway
> (40.1) and back to 40.10.
>
> How do I represent this in shorewall's config files? Can I?

Can anyone make heads or tails of this? I'm having problems doing so.

The ASCII art was created with a variable pitch font so it is totally unfathomable and without an understanding of the network topology, the addition of the routes shown makes no sense. Usually these sorts of problems are solved by SNAT, not routing.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Mon, Feb 23, 2009 at 6:20 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Chris Wood wrote:
> > I've set up shorewall with openvpn. This machine is not the default gateway
> > on the LAN and I've got it working, but not fully within the shorewall
> > configs. I need to figure out how to represent this in shorewall's
> > configuration files.
> >
>
> Can anyone make heads or tails of this? I'm having problems doing so.
>
> The ASCII art was created with a variable pitch font so it is totally
> unfathomable and without an understanding of the network topology, the
> addition of the routes shown makes no sense. Usually these sorts of
> problems are solved by SNAT, not routing.
>

The ascii art doesn't add a lot of info; I tried to describe it all in the paragraph, as trying to do the diagram proved too complex to make sense.

I thought about using NAT, but, from what I understand, avoiding NAT is preferred and introducing NAT in this situation puts me in a double NAT scenario (NAT at the client end and NAT again at the LAN side). To me, it seemed to simplify things to add a route rather than introducing another layer of NAT. Maybe the newer networking equipment and software handles NAT better than it did 5-6 years ago when I did this last time.

C.
Chris Wood wrote:
> I've set up shorewall with openvpn. This machine is not the default
> gateway on the LAN and I've got it working, but not fully within the
> shorewall configs. I need to figure out how to represent this in
> shorewall's configuration files.

Chris says that we can ignore the ASCII art and still understand the problem. So I will delete the ASCII art.

> OpenVPN is using its own subnet (43.x) and coming directly into a PC
> (has an IP on 43.x and 40.15).

OK -- we have a 'PC' that runs an OpenVPN server and maybe Shorewall. We don't know for sure because the expression 'OpenVPN with Shorewall' doesn't tell us if these products are running on the same system or on different systems. But at least we now have this picture:

    (Remote PC) <-> (43.x:PC:40.15)

And we know that an OpenVPN server (or client?) is running on 'PC'.

> Example problem: If the "Remote PC"
> sends an http request to a server on 40.10,

The picture expands to the following where 'RPC' is 'Remote PC':

    (RPC) <-> (PC) <-> (40.10)

> shorewall sends the request directly to 40.10

Shorewall does not send requests! -- Shorewall (actually Netfilter) either allows requests or it drops requests or it rejects requests. At the same time 'Shorewall' (actually Netfilter) may rewrite the SOURCE IP address or the DEST IP address.

> but that server doesn't know anything about subnet 43.x

We will assume 'that server' means 40.10...

> so it sends its response to the gateway at 40.1

Ah -- so now we have:

    (RPC) <-> PC <-> (40.10) <-> (40.1)

Where apparently (40.1) is the default gateway for 40.10.

> which knows about the subnet

HOW? Only 'PC' knows the route to 43.*.

> but doesn't know anything about the request.

That's clear but of questionable relevance.

> I overcame that by setting up a routing rule based on the source
> address (I believe that is what this is doing). I gleaned this from
> a site trying to solve a similar problem. The following makes
> everything route correctly.
>
> # ip route add table 70 to 172.16.43.0/24 dev tun0
> # ip route add table 70 to default via 172.16.40.1 dev eth0
> # ip rule add from 172.16.43.0/24 table 70 priority 20
> # ip route flush cache

We can only assume that the above exercise was undertaken on 'PC'. But it is 40.10 that doesn't know where to send the response back to 43.x! So doing anything with routing on PC doesn't affect the ability of 40.10 to send responses back through 40.15. So was the above done on 40.1 (firewall)? Is that where Shorewall is running?

> Now, if I do a traceroute from the "Remote PC" to 40.10, it will show
> me routing through the openvpn/shorewall server (40.15) to the LAN
> gateway (40.1) and back to 40.10.
>
> How do I represent this in shorewall's config files? Can I?

I will guess that Shorewall is running on the 'firewall' (40.1); that's the only thing that makes sense -- if that is the case, the article http://www.shorewall.net/Multiple_Zones.html should help. But then the issue has nothing to do with Shorewall and can be solved by adding a single 'net' route on 40.1 (assuming that the systems on the LAN will accept ICMP redirects from 40.1); use the distribution's network configuration tool on 40.1 to add the route.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
----- Original Message ----
> From: Tom Eastep <teastep@shorewall.net>
> To: Shorewall Users <shorewall-users@lists.sourceforge.net>
> Sent: Tuesday, February 24, 2009 1:03:37 PM
> Subject: Re: [Shorewall-users] Routing traffic to LAN gateway?
>
> Chris Wood wrote:
> > I've set up shorewall with openvpn. This machine is not the default
> > gateway on the LAN and I've got it working, but not fully within the
> > shorewall configs. I need to figure out how to represent this in
> > shorewall's configuration files.
>
> Chris says that we can ignore the ASCII art and still understand the
> problem. So I will delete the ASCII art.
>

Tom, you are a really easy-going person...
Chris Wood wrote:
> I've set up shorewall with openvpn. This machine is not the default
> gateway on the LAN and I've got it working, but not fully within the
> shorewall configs. I need to figure out how to represent this in
> shorewall's configuration files.
>

This morning, I reread my response from last night and I think that I now understand what is going on here.

> OpenVPN is using its own subnet (43.x) and coming directly into a PC
> (has an IP on 43.x and 40.15). Example problem: If the "Remote PC"
> sends an http request to a server on 40.10, shorewall sends the request
> directly to 40.10 but that server doesn't know anything about subnet
> 43.x so it sends its response to the gateway at 40.1 which knows about
> the subnet but doesn't know anything about the request.

Translation:

Shorewall and OpenVPN both run on 'a PC' (which I will refer to as 'The PC' in the remainder of this post); OpenVPN serves the remote network 43.x.

'The gateway' (40.1) is the default gateway for the LAN in question. 'The gateway' apparently does connection tracking and dislikes only seeing half of the traffic in a connection. In particular, it doesn't like seeing a SYN,ACK without having seen a corresponding SYN going in the opposite direction. 'The gateway' has a route to 43.x via 40.15.

> I overcame that by setting up a routing rule based on the source address
> (I believe that is what this is doing). I gleaned this from a site
> trying to solve a similar problem. The following makes everything route
> correctly.
>
> # ip route add table 70 to 172.16.43.0/24 dev tun0
> # ip route add table 70 to default via 172.16.40.1 dev eth0
> # ip rule add from 172.16.43.0/24 table 70 priority 20
> # ip route flush cache
>
> Now, if I do a traceroute from the "Remote PC" to 40.10, it will show me
> routing through the openvpn/shorewall server (40.15) to the LAN gateway
> (40.1) and back to 40.10.
>
> How do I represent this in shorewall's config files? Can I?

In /etc/shorewall/providers:

#PROVIDER  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS
Kludge     70      1     -          eth0       172.16.40.1  loose

If you are running Shorewall-perl 4.2, you can leave the MARK column empty ("-") since you don't need to use packet marking to select this provider.

In /etc/shorewall/route_rules:

#SOURCE         DEST       PROVIDER  PRIORITY
172.16.43.0/24  0.0.0.0/0  Kludge    1000

What is this doing?

When a connection request comes in from a VPN client, it is sent to 'the PC'. We are uncertain about whether it goes through 'The gateway' first but suspect not due to Chris mentioning "coming directly into a PC". There it is decrypted and sent to 'The gateway' (that is the point of routing table 70 and its accompanying rule). 'The gateway' takes note of the connection then turns around and sends the packet back onto the LAN to the final destination (server). When a response is returned, it is sent to 'The gateway' who immediately sends it to 'the PC'. There it is encrypted and encapsulated and sent out to the remote VPN client.

It works, even though it is rather ugly. As I mentioned in my very first response to Chris, this problem is normally solved using SNAT.

/etc/shorewall/masq:

#INTERFACE  SOURCE          ADDRESS
eth0        172.16.43.0/24  172.16.40.15

SNAT has the disadvantage, however, that all VPN traffic appears to servers on the LAN as if it originated on 'The PC'. It has the advantage though that en clair VPN traffic doesn't get needlessly routed through 'The gateway'.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
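To make the forward/return path asymmetry in this thread concrete, the following is an added example (not code from the thread, from Shorewall, or from either poster) that models policy routing on 'The PC' and traces a request from the VPN client to the LAN server and the server's reply back, under three set-ups: plain routing, the 'table 70' source-based rule from the ip commands above, and the masq/SNAT alternative. Addresses 172.16.40.15, 172.16.40.1, 172.16.40.10 and the 172.16.43.0/24 subnet are from the thread; the client address 172.16.43.10, the PC's tun0 address 172.16.43.1 and the host names PC/GW/SRV/RPC are assumptions made for the example. The GW's route to 43.x via 40.15 and SRV's default gateway of 40.1 follow Tom's reading of the set-up.

```python
"""Trace request and reply paths for the three set-ups in the thread.
Constructed topology: PC (172.16.40.15 / 172.16.43.1, assumed tun address),
GW (172.16.40.1), SRV (172.16.40.10), RPC (172.16.43.10, assumed client).
This is an illustration of the routing logic, not the kernel's code."""
import ipaddress
from dataclasses import dataclass

Net, Addr = ipaddress.IPv4Network, ipaddress.IPv4Address


@dataclass
class Route:
    prefix: Net
    dev: str
    via: str = ""          # empty: prefix is on-link, next hop is the destination


@dataclass
class Rule:
    priority: int
    table: str
    src: Net = None        # None: rule matches every packet


@dataclass
class Host:
    name: str
    addrs: set
    tables: dict
    rules: list
    snat: tuple = None     # (out_dev, src_net, new_src), like a masq entry

    def lookup(self, src, dst):
        """Policy routing as the kernel does it: walk rules by priority; a
        matching rule selects a table and the longest matching prefix in that
        table wins.  A table with no matching route falls through to the next
        rule (so 'table 70' only needs a default route)."""
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.src is not None and src not in rule.src:
                continue
            hits = [r for r in self.tables.get(rule.table, []) if dst in r.prefix]
            if hits:
                best = max(hits, key=lambda r: r.prefix.prefixlen)
                return (best.via or str(dst)), best.dev
        raise LookupError(f"{self.name}: no route to {dst}")


def trace(hosts, start, src, dst, max_hops=8):
    """Forward one packet hop by hop.  Returns the hosts visited and the
    source address as seen by the final hop (changed only by SNAT)."""
    src, dst = Addr(src), Addr(dst)
    owner = {a: h for h in hosts.values() for a in h.addrs}
    cur, path = hosts[start], [start]
    for _ in range(max_hops):
        if str(dst) in cur.addrs:
            return path, str(src)
        next_hop, dev = cur.lookup(src, dst)
        if cur.snat and cur.snat[0] == dev and src in cur.snat[1]:
            src = Addr(cur.snat[2])       # POSTROUTING SNAT on the way out
        cur = owner[next_hop]
        path.append(cur.name)
    raise RuntimeError("routing loop")


def round_trip(hosts, client, server):
    """Request RPC -> SRV, then SRV's reply to whatever source it saw."""
    req, seen_src = trace(hosts, "RPC", client, server)
    reply, _ = trace(hosts, "SRV", server, seen_src)
    return req, reply


def topology(kludge=False, snat=False):
    def main(*routes):
        return {"main": list(routes)}
    pc = Host("PC", {"172.16.40.15", "172.16.43.1"},
              main(Route(Net("172.16.40.0/24"), "eth0"),
                   Route(Net("172.16.43.0/24"), "tun0"),
                   Route(Net("0.0.0.0/0"), "eth0", via="172.16.40.1")),
              [Rule(32766, "main")])
    if kludge:   # the thread's 'ip route add table 70 ...' / 'ip rule add ...'
        pc.tables["70"] = [Route(Net("172.16.43.0/24"), "tun0"),
                           Route(Net("0.0.0.0/0"), "eth0", via="172.16.40.1")]
        pc.rules.insert(0, Rule(20, "70", Net("172.16.43.0/24")))
    if snat:     # the masq entry:  eth0  172.16.43.0/24  172.16.40.15
        pc.snat = ("eth0", Net("172.16.43.0/24"), "172.16.40.15")
    gw = Host("GW", {"172.16.40.1"},
              main(Route(Net("172.16.40.0/24"), "eth0"),
                   Route(Net("172.16.43.0/24"), "eth0", via="172.16.40.15")),
              [Rule(32766, "main")])
    srv = Host("SRV", {"172.16.40.10"},
               main(Route(Net("172.16.40.0/24"), "eth0"),
                    Route(Net("0.0.0.0/0"), "eth0", via="172.16.40.1")),
               [Rule(32766, "main")])
    rpc = Host("RPC", {"172.16.43.10"},
               main(Route(Net("172.16.43.0/24"), "tun0"),
                    Route(Net("0.0.0.0/0"), "tun0", via="172.16.43.1")),
               [Rule(32766, "main")])
    return {h.name: h for h in (pc, gw, srv, rpc)}


if __name__ == "__main__":
    for label, kw in [("plain", {}), ("table 70", {"kludge": True}), ("snat", {"snat": True})]:
        req, reply = round_trip(topology(**kw), "172.16.43.10", "172.16.40.10")
        print(f"{label:9} request {' -> '.join(req):24} reply {' -> '.join(reply)}")
```

Running it shows the three behaviours the thread describes: with plain routing the request goes RPC -> PC -> SRV but the reply goes SRV -> GW -> PC -> RPC, so the gateway sees the SYN,ACK without the SYN; with the table 70 rule both directions pass through GW; with SNAT neither direction touches GW, at the price of the server seeing 172.16.40.15 as the client. In the SNAT case the modelled reply stops at PC, which is where conntrack reverses the translation before the packet goes out tun0.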
On Tue, Feb 24, 2009 at 8:50 AM, Tom Eastep <teastep@shorewall.net> wrote:
> Chris Wood wrote:
> > I've set up shorewall with openvpn. This machine is not the default
> > gateway on the LAN and I've got it working, but not fully within the
> > shorewall configs. I need to figure out how to represent this in
> > shorewall's configuration files.
> >
>
> This morning, I reread my response from last night and I think that I
> now understand what is going on here.
>
> >
> > OpenVPN is using its own subnet (43.x) and coming directly into a PC
> > (has an IP on 43.x and 40.15). Example problem: If the "Remote PC"
> > sends an http request to a server on 40.10, shorewall sends the request
> > directly to 40.10 but that server doesn't know anything about subnet
> > 43.x so it sends its response to the gateway at 40.1 which knows about
> > the subnet but doesn't know anything about the request.
>
> Translation:
>
> Shorewall and OpenVPN both run on 'a PC' (which I will refer to as 'The
> PC' in the remainder of this post); OpenVPN serves the remote network 43.x.
>
> 'The gateway' (40.1) is the default gateway for the LAN in question.
> 'The gateway' apparently does connection tracking and dislikes only
> seeing half of the traffic in a connection. In particular, it doesn't
> like seeing a SYN,ACK without having seen a corresponding SYN going in
> the opposite direction. 'The gateway' has a route to 43.x via 40.15.
>

Tom,

Yes, you decrypted my email correctly! I will give your suggestion a shot. I do want to know the remote PC addresses on my LAN so that I can restrict or modify their network access based on their subnet. That's why I didn't go the NAT route. Maybe I'm being overly anal.

Thanks for taking the time to try to figure out what I was saying. I rewrote my original email about 3-4 times before sending it, trying to make it clear how my configuration was set up. It was a bit confusing even to me.

Chris